Occasional Contributor I
Posts: 9
Registered: ‎10-09-2014

Need to disable traffic between users in master - local setup

Greetings, friends!

I am a bit stuck with an issue and need your help to solve it.

We have a master-local setup of 6 controllers. 1 controller is the master; all the others are local.

APs terminate on all the controllers.

I have enabled the features "Deny inter-user traffic" and "Deny inter-user bridging" on all 6 controllers. Hence, when 2 users are connected to APs terminating on the same controller, they are not able to ping.

This is expected behavior and we need this feature.

The problem is seen when one user is on an AP terminating on controller 1 and the other user is on an AP terminating on controller 2. They are able to ping. The 2 end users have IP addresses from the same subnet.

It is like a security breach...

Hence, let me know how I can resolve this. Is there any other feature like "Deny inter-user traffic" which can disable communication between guests that are connected to different controllers?

The controllers are running 6.1.3.2 code as of now. If required, we can upgrade.

MVP
Posts: 1,409
Registered: ‎05-28-2008

Re: Need to disable traffic between users in master - local setup


You may create your own access role that looks like this (on each controller).

*Do it under the user role that your users are getting*

*Do 2 sets of rules*

03-02-2015 11-13-45.png

Don't forget to apply & save at the end.

*****************2Plus Wireless Solutions****************************
Aruba Airheads - Powered By community for empower the community
************ Don't Forget to Kudos + me,If i helped you******************
Occasional Contributor I
Posts: 9
Registered: ‎10-09-2014

Re: Need to disable traffic between users in master - local setup

Thanks for the reply.

Do I need the PEF or any other license for this? If so, do I need the license for all the controllers?

Valued Contributor II
Posts: 804
Registered: ‎12-01-2014

Re: Need to disable traffic between users in master - local setup

Hi,

Yes, we need a PEF license to create and apply any roles and policies. Policies are always applied at the local (where the AP is terminated), hence a PEF license is required on all the controllers wherever user traffic is getting processed.

Hope you got some more clarity.

Please feel free to ask any further queries on this.

Cheers,
Venu Puduchery,
[Is my post helped you ? Give Kudos :) ]
MVP
Posts: 1,414
Registered: ‎11-30-2011

Re: Need to disable traffic between users in master - local setup

Yes, this will require PEF, and most likely on both.

Also, do keep in mind that on layer 2 the clients will still be able to communicate.

Occasional Contributor I
Posts: 9
Registered: ‎10-09-2014

Re: Need to disable traffic between users in master - local setup

Oh... But our main requirement is that Layer 2 users should not be able to communicate.

MVP
Posts: 1,414
Registered: ‎11-30-2011

Re: Need to disable traffic between users in master - local setup

I had a ticket open for this: users from two different controllers being able to see each other (with an ARP scan or such) while deny interface user routing / bridging was turned on. Support told me this isn't possible to block at this moment.

Do remember that actual useful communication on layer 2 isn't that easy; most applications will use IP and that will be blocked. Of course, if your users want it badly enough, there are probably methods.

You can also work around this by having your users from different controllers end up in different subnets. Then only using control lists is enough.
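The role-based rules suggested earlier in the thread are visible only as a screenshot, so here is a sketch of that kind of rule set as an ArubaOS CLI fragment. It is an added example, not the configuration posted in the thread. The role, ACL and alias names and the 192.0.2.0/24 addressing are hypothetical, and it assumes the role's other session ACLs permit the traffic guests are meant to have. As the replies state, it needs PEF wherever user traffic is processed and it filters IP traffic only, not layer 2 visibility.

```text
! Added example: all names and addresses below are hypothetical.
!
! The guest client subnet and its default gateway (constructed values).
netdestination guest-subnet
  network 192.0.2.0 255.255.255.0
!
netdestination guest-gateway
  host 192.0.2.1
!
! Rule order matters, the first match wins:
!   1. keep DHCP working before anything is denied
!   2. let clients reach their default gateway
!   3. drop IP traffic from a client to any other address in the guest
!      subnet, whichever controller the peer's AP terminates on
! A DNS or portal server inside the guest subnet would need its own
! permit rule ahead of the deny.
ip access-list session guest-isolation
  any any svc-dhcp permit
  user alias guest-gateway any permit
  user alias guest-subnet any deny
!
! Attach the ACL to the role the guests receive, ahead of that role's
! existing permit ACLs so the deny is evaluated first.
user-role guest-isolated
  access-list session guest-isolation position 1
!
```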
